MISC-43: Set up to sign Github commits

Ben Tasker
I should really have set up to sign commits on Github (and other places) ages ago, but have never quite gotten around to it.

Now seems as good a time as any to catch up.

For this I'm going to generate a new key to use for signing, and then sign that with my main key (i.e. the one whose public key is published here - https://www.bentasker.co.uk/about-me ).
I already have GnuPG installed, so it's just a case of creating and signing a key:

ben@milleniumfalcon:~$ gpg --gen-key

gpg: key 4C1EBA9B marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: next trustdb check due at 2024-08-27
pub   4096R/4C1EBA9B 2020-11-05
      Key fingerprint = EFDA 29FF 1E38 9DA3 55A1  2A16 8DC6 5217 4C1E BA9B
uid                  B Tasker (Code Signing Key) <github@<Domain Hidden>>
sub   4096R/9DBA26B6 2020-11-05

For further commands, I want to capture the key ID:
ben@milleniumfalcon:~$ MY_KEY=$(gpg --list-secret-keys --keyid-format LONG | grep ^sec | tail -1 | cut -f 2 -d "/" | cut -f 1 -d " ")

So, we want to sign the key with my main key:

ben@milleniumfalcon:~$ gpg --sign-key $MY_KEY

Send the signed key to keyservers so it can be verified outside of Github if needed:
ben@milleniumfalcon:~$ gpg --keyserver pgp.mit.edu --send-keys $MY_KEY
gpg: sending key 4C1EBA9B to hkp server pgp.mit.edu
ben@milleniumfalcon:~$ gpg --keyserver keyserver.ubuntu.com --send-keys $MY_KEY
gpg: sending key 4C1EBA9B to hkp server keyserver.ubuntu.com

Now export it:
ben@milleniumfalcon:~$ gpg --armor --export "${MY_KEY}" > signing_keys.txt

Added to Github here - https://github.com/settings/keys

Time to configure git and then do a test commit:
ben@milleniumfalcon:~/Documents/src.old/dns.bentasker.co.uk$ git config --global commit.gpgsign true
ben@milleniumfalcon:~/Documents/src.old/dns.bentasker.co.uk$ git config --global tag.gpgsign true
ben@milleniumfalcon:~/Documents/src.old/dns.bentasker.co.uk$ git config --global user.signingkey "${MY_KEY}"

Commit shows as verified - https://github.com/bentasker/dns.bentasker.co.uk/commit/d12f725aa589ea16d1551cf8d4507cddbe307c22
One change I have made: although I already had GnuPG installed, it pushed a GUI prompt every time my key needed unlocking, which was quite jarring.

So I've switched it to using a CLI based prompt:
sudo apt-get install pinentry-tty
sudo update-alternatives --config pinentry
Key also uploaded to Gitlab - https://gitlab.com/-/profile/gpg_keys

Gitlab seems to have additional steps required, otherwise the GPG key shows up as "Unverified": the email address in the key's UID needs to have been added to the account (here: https://gitlab.com/-/profile/emails).

Created a repo to act as a backup and pushed my DNS repo there, commit shows as verified - https://gitlab.com/bentasker/dns.bentasker.co.uk/-/commit/d12f725aa589ea16d1551cf8d4507cddbe307c22
I've created a repo to house copies of my keys so that the paranoid can validate for themselves; there's a copy in both Github and Gitlab:

- https://github.com/bentasker/pgp_public_keys
- https://gitlab.com/bentasker/pgp_public_keys

Which means they're ultimately also mirrored at https://publicrepos.bentasker.co.uk/projects/pgp_public_keys.git/trees

Relevant Key IDs are:

- 4C1EBA9B
- 6E08CD6F

With the following fingerprints:
pub   4096R/6E08CD6F 2014-08-30 B Tasker (Main Key) <ben@<Domain Hidden>>
 Primary key fingerprint: C01D 970B 3A24 1689 2C1E  D42F B7EF 7548 6E08 CD6F

pub   4096R/4C1EBA9B 2020-11-05 B Tasker (Code Signing Key) <github@<Domain Hidden>>
 Primary key fingerprint: EFDA 29FF 1E38 9DA3 55A1  2A16 8DC6 5217 4C1E BA9B
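The `grep ^sec | tail -1` pipeline used above to capture the key ID works when the freshly generated key happens to be listed last, but it is parsing human-readable output and picks whichever secret key is last, not necessarily the code-signing one. The script below is an added example (my own, not code from the original notes) that covers two things from this page: selecting the signing key by its user ID from gpg's machine-readable `--with-colons` listing, and checking its fingerprint against the published fingerprints listed just above before wiring the key into git. The listing it runs against is constructed to mimic `gpg --list-secret-keys --with-colons`; the key IDs and fingerprints are the ones published on this page, while the e-mail domains are placeholders. `select_key`, `fingerprint_matches` and `configure_git_signing` are names I chose for this example.

```shell
#!/bin/sh
# Added example (not from the original page): choose the code-signing key by user ID
# from gpg's --with-colons output, cross-check its fingerprint against a published
# one, and only then point git at it. The listing below is CONSTRUCTED to look like
# `gpg --list-secret-keys --with-colons`; e-mail domains are placeholders.
SAMPLE_LISTING='sec:u:4096:1:B7EF75486E08CD6F:1409356800:::u:::scESC:::+:::23::0:
fpr:::::::::C01D970B3A2416892C1ED42FB7EF75486E08CD6F:
uid:u::::1409356800::0000000000000000000000000000000000000000::B Tasker (Main Key) <ben@example.invalid>::::::::::0:
sec:u:4096:1:8DC652174C1EBA9B:1604534400:::u:::scESC:::+:::23::0:
fpr:::::::::EFDA29FF1E389DA355A12A168DC652174C1EBA9B:
uid:u::::1604534400::1111111111111111111111111111111111111111::B Tasker (Code Signing Key) <github@example.invalid>::::::::::0:
ssb:u:4096:1:0000000000000000:1604534400::::::e:::+:::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# select_key PATTERN < listing
# Prints "<long key id> <fingerprint>" for the first secret key whose user ID
# contains PATTERN. In the colon format, field 5 of a "sec" record is the key ID,
# field 10 of the "fpr" record that follows it is the full fingerprint, and
# field 10 of a "uid" record is the user ID (documented in gpg's doc/DETAILS).
select_key() {
    awk -F: -v want="$1" '
        $1 == "sec" { keyid = $5; fpr = "" }
        $1 == "fpr" && fpr == "" { fpr = $10 }
        $1 == "uid" && index($10, want) > 0 && !done { print keyid, fpr; done = 1 }
    '
}

# fingerprint_matches PUBLISHED ACTUAL
# Accepts either the spaced form gpg prints or the compact 40-hex-digit form,
# compares case-insensitively, and rejects anything that is not a full fingerprint
# (a short key ID is not enough to identify a key).
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$a" in *[!0-9A-F]*|"") return 1 ;; esac
    [ ${#a} -eq 40 ] && [ "$a" = "$b" ]
}

# The git side of the procedure on this page, fed the long key ID from select_key
# rather than a hand-typed short ID.
configure_git_signing() {
    git config --global user.signingkey "$1"
    git config --global commit.gpgsign true
    git config --global tag.gpgsign true
}

# Demo against the constructed listing. On a live system the first line becomes:
#   set -- $(gpg --list-secret-keys --with-colons | select_key "Code Signing Key")
set -- $(printf '%s\n' "$SAMPLE_LISTING" | select_key "Code Signing Key")
KEY_ID=$1
FPR=$2
echo "signing key: $KEY_ID fingerprint: $FPR"
if fingerprint_matches "EFDA 29FF 1E38 9DA3 55A1  2A16 8DC6 5217 4C1E BA9B" "$FPR"; then
    echo "fingerprint matches the published one"
    # configure_git_signing "$KEY_ID"   # uncomment on a machine where git and the key exist
else
    echo "fingerprint mismatch, not configuring git" >&2
fi
```

After `configure_git_signing` has run for real, `git verify-commit HEAD` (or `git log --show-signature -1`) checks the signature locally, independent of the "Verified" badge Github and Gitlab display.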